The indictment, filed on July 11 in Wisconsin District Court, says that "Defendant Marcus Hutchins created the Kronos malware," alongside another person, whose name has been redacted from the filing. Between July 2014 and July 2015, the two "intentionally cause[d] damage without authorization to 10 or more protected computers," it says.
A spokeswoman for the FBI's Nevada office referred PCMag to the Department of Justice, which did not immediately respond to a request for comment.
Hutchins made headlines in May when he stopped the spread of the WannaCry by accident. He noticed the ransomware "queried an unregistered domain, which I promptly registered." But WannaCry looks to connect to that unregistered domain. If it can't connect, "it ransoms the system," MalwareTech explained. If it connects to the domain, though, "the malware exits" and the system is not compromised. After the registration, WannaCry connected to the domain and was stopped in its tracks.
According to the indictment, Hutchins's alleged co-conspirator posted a video that demonstrated how the Kronos malware worked on July 13, 2014. The person then offered to sell the Kronos banking trojan for $3,000 "on an internet forum."
Hutchins reportedly helped this person update the Kronos malware in February 2015, after which it was advertised for sale on the (now-defunct) AlphaBay dark web forum. In June 2015, it sold for about $20,000 in digital currency, the indictment says.
As some have pointed out online, Hutchins requested a Kronos sample on the day the video in question went up.
Anyone got a kronos sample?
— MalwareTech (@MalwareTechBlog) July 13, 2014